Impersonation attacks are on the rise as attackers switch gears to target an increasingly remote and distracted workforce. Impersonation not only enables cybercriminals to gain trust and manipulate victims into disclosing sensitive data, but also significantly boosts their ability to successfully execute cybercrime. Such attacks are usually hard to detect and at times, leverage legitimate resources and channels for execution.
Impersonation attacks may not be new to the world of cybercrime but they are becoming increasingly sophisticated and more targeted than ever before. Let’s understand the top 5 impersonation techniques used by cybercriminals in 2021:
#1: Domain spoofing and lookalike domains: Domain spoofing uses a legitimate domain name (for example, in a forged email sender address) while hiding or spoofing the real origin. Attackers use this technique to make bogus domain names look legitimate and trick users into trusting them. Look-alike or cousin domains have near-identical names with subtle differences: a word, symbol or character added to the original name (e.g., microsooft.com) or an alternate top-level domain (e.g., .com instead of .gov). It is estimated that scammers send a staggering 3.1 billion domain spoofing emails a day.
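The lookalike patterns just described (an added character, a digit or digraph that imitates a letter, a swapped TLD, the brand buried in a subdomain) can be screened for automatically at a mail gateway or proxy. The following is an added example written for this article, not code from the original post: it classifies an observed domain against a constructed list of protected domains (`microsoft.com`, `irs.gov` and the placeholder `example-bank.com`) using homoglyph folding, edit distance and label comparison.

```python
"""Lookalike-domain screening for a defender's blocklist or gateway rule.

Added example (not from the original article). The protected domains,
homoglyph table and thresholds are constructed assumptions; a production
deployment would load them from configuration.
"""
from __future__ import annotations

# Constructed set of domains the organisation wants to protect.
PROTECTED = {"microsoft.com", "irs.gov", "example-bank.com"}

# Characters and digraphs commonly used to imitate letters in a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable(domain: str) -> tuple[str, str]:
    """Split 'sub.brand.tld' into (brand, tld).

    Naive two-label rule; multi-label suffixes such as co.uk are not handled
    and would need a public-suffix list in real use.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def fold_homoglyphs(label: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected: set[str] = PROTECTED) -> tuple[str, str | None]:
    """Return (verdict, matched_protected_domain) for an observed domain."""
    domain = domain.lower().strip(".")
    brand, tld = registrable(domain)
    if domain in protected or f"{brand}.{tld}" in protected:
        return "exact", f"{brand}.{tld}"
    folded = fold_homoglyphs(brand)
    for p in sorted(protected):  # sorted for deterministic results
        pb, ptld = registrable(p)
        # Same brand label, different top-level domain (irs.com vs irs.gov).
        if brand == pb and tld != ptld:
            return "tld-swap", p
        # Whole protected domain used as a subdomain of something else.
        if f".{p}." in f".{domain}.":
            return "brand-in-subdomain", p
        # Brand spelled with look-alike characters (rnicrosoft, examp1e-bank).
        if folded == pb and brand != pb:
            return "homoglyph", p
        # Small edit distance; short brands get a tighter limit to cut noise.
        limit = 1 if len(pb) <= 5 else 2
        if levenshtein(brand, pb) <= limit:
            return "typosquat", p
        # Brand embedded in a longer label (microsoft-login).
        if pb in brand and brand != pb:
            return "brand-embedded", p
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample inputs, one per pattern.
    for d in ["mail.microsoft.com", "microsooft.com", "rnicrosoft.com", "irs.com",
              "microsoft.com.evil.net", "microsoft-login.com", "example.org"]:
        print(f"{d:28} -> {classify(d)}")
```

The verdict label is what a gateway rule would key on: an `exact` hit is allowed, a `typosquat`, `homoglyph` or `tld-swap` hit on a domain nobody in the organisation registered is a strong quarantine signal, and `brand-embedded` deserves review because legitimate third parties also use such names.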
#2: Website spoofing: Cybercriminals use website spoofing to create fake copies of legitimate websites, complete with graphics, branding, logos, login screens and look-alike URLs. The goal of website spoofing is often to harvest login credentials or steal credit card information. According to researchers, hackers leveraged Covid-19 and spoofed several websites in 2020 like the World Health Organisation, the Internal Revenue Service and the Centers for Disease Control, in a bid to harvest user credentials. Attackers even went to the extent of spoofing a website of a leading cybersecurity vendor.
#3: Account takeover (ATO): As the name suggests, cybercriminals break into accounts and impersonate their owners to intercept private communications or steal sensitive information. Usually an ATO attack is the first step in a much larger scheme. Account takeover is one of the biggest frauds hitting consumers today. ATO usually involves theft of email or social media credentials, which are then used to launch a targeted phishing campaign. For example, an attacker who steals the credentials of a key executive might launch a Business Email Compromise attack that results in other employees transferring money or information.
#4: Email spoofing and impersonations: A staggering 94% of malware is delivered through email, usually emulating a trusted source. Opportunistic fraudsters trick users into clicking on a link, downloading malware, giving up banking details, or divulging sensitive data. More than 7,000 CEOs have been impersonated since Covid-19 started, and such attacks accounted for more than half of cybercrime losses last year. Microsoft, Facebook and PayPal were among the most impersonated brands in 2020. Since a majority of the workforce is working remotely, attackers are increasingly sending impersonation emails that resemble notifications from video meeting apps like Zoom, Microsoft Teams and Skype. Fake Office 365 password expiration notifications have also reportedly been sent to global high-ranking executives since May 2020.
#5: Impersonation-as-a-service (IMPaaS): This is perhaps the most dangerous impersonation trend documented in recent times. The world of cybercrime has already seen service-oriented offerings like ransomware-as-a-service and phishing-as-a-service; however, this is the first time a service model built around the commodification of impersonation has appeared. A now-defunct Russian website offered hundreds of thousands of compromised victim profiles. These reportedly included user credentials, cookies, device and behavioural fingerprints, and other metadata that could help circumvent multi-factor authentication (MFA) mechanisms. This means that a cybercriminal (who may even lack the technical expertise to harvest user credentials) could purchase the account of an individual at a particular company, in a certain vertical, with a specific job title or function, and take over as that person, not just on email but with access to resources secured behind MFA.
Best practices to reduce the risk of impersonation attacks
Impersonation is a difficult challenge to address. In order to effectively address this problem, you need to understand what is being impersonated and work towards plugging the loopholes systematically. Here are a couple of best practices to get started:
- Use DMARC, DKIM and SPF email security protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) help prevent malicious third parties from spoofing your email domain. However, for this technology to work effectively, both the sending and the receiving side must deploy it: the sender publishes the DNS records and the receiver checks incoming mail against them. While this technology doesn’t work perfectly, it can certainly help reduce impersonation.
- Train users to make the right security decision, every single time: Studies show that if security awareness training is done right, users develop muscle memory to recognise rogue emails, and this helps reduce the average Phish-Prone Percentage (PPP) by up to 60%. Impersonation attacks use humans as conduits, and there is no better way of stopping impersonation than making your weakest link (people) stronger. Remember that a chain is only as strong as its weakest link.
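The SPF and DMARC advice above has two halves, and the example below (added here, not code from the original article) shows both: a review of a domain's own SPF and DMARC TXT records that flags weak settings next to corrected ones, and the alignment rule a receiving mail server applies when it decides what to do with a message. All records and messages are constructed sample data; `example.com`, `example.net` and `attacker.example` are placeholders, and relaxed alignment is approximated with a suffix check rather than a full public-suffix lookup.

```python
"""SPF/DMARC policy review and receiver-side DMARC disposition.

Added example (not from the original article). Records, domains and the
message results below are constructed; the relaxed-alignment check is a
simplification of the organisational-domain rule in RFC 7489.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample DNS TXT records: a weak setting beside a corrected one.
SPF_WEAK = "v=spf1 include:_spf.example.net ?all"
SPF_GOOD = "v=spf1 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def _is_lookup_mechanism(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/", "ptr:"))


def review_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorises every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("?all is neutral: receivers treat unlisted senders as neither pass nor fail")
    elif last not in ("-all", "~all"):
        findings.append("record does not end with an 'all' mechanism; unlisted senders are neutral")
    if sum(_is_lookup_mechanism(t) for t in terms[1:]) > 10:
        findings.append("more than 10 DNS-lookup mechanisms; receivers will return permerror")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a tag dictionary with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def review_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing attempts are lost")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


@dataclass
class AuthResult:
    """What a receiving server knows after running SPF and DKIM on one message."""
    from_domain: str   # domain in the RFC 5322 From header the user sees
    spf_result: str    # "pass" or "fail"
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated for
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= tag of the verified DKIM signature


def _aligned(from_domain: str, auth_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed allows parent/child (simplified)."""
    if strict or from_domain == auth_domain:
        return from_domain == auth_domain
    return from_domain.endswith("." + auth_domain) or auth_domain.endswith("." + from_domain)


def dmarc_disposition(msg: AuthResult, dmarc_record: str) -> str:
    """Apply the sender's published DMARC policy: deliver, quarantine or reject."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = msg.spf_result == "pass" and _aligned(
        msg.from_domain, msg.spf_domain, tags.get("aspf", "r") == "s")
    dkim_ok = msg.dkim_result == "pass" and _aligned(
        msg.from_domain, msg.dkim_domain, tags.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:          # DMARC passes if either aligned check passes
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p", ""), "deliver")


if __name__ == "__main__":
    print("SPF weak  :", review_spf(SPF_WEAK))
    print("DMARC weak:", review_dmarc(DMARC_WEAK))
    # Constructed spoof: SPF passes for the attacker's own envelope domain,
    # but that domain is not aligned with the From header the victim sees.
    spoof = AuthResult("example.com", "pass", "attacker.example", "fail", "")
    print("spoof under p=none  :", dmarc_disposition(spoof, DMARC_WEAK))
    print("spoof under p=reject:", dmarc_disposition(spoof, DMARC_GOOD))
```

The spoofed message is the instructive case: SPF itself passes, because the attacker controls the envelope domain it was checked against, and only DMARC's alignment requirement ties that result back to the From address the recipient actually sees. With `p=none` the receiver still delivers it, which is why the review treats a monitoring-only policy as a finding.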